Method and apparatus for protecting legitimate traffic from DoS and DDoS attacks

ABSTRACT

An apparatus for protecting legitimate traffic from DoS and DDoS attacks has a high-priority (505) and a low-priority (506) queue. In addition, a queue information table (502) holds the STT (Source-based Traffic Trunk) service queue information for a specific packet. A queue coordinator (503) updates the queue information table (502) based on the load of a given STT and the load of the high-priority queue (505). A packet classifier (504) receives a packet from the network access unit (508), looks up the STT service queue of the packet in the queue information table (502), selectively transfers the packet to the high-priority (505) or the low-priority (506) queue, and provides information on the packet to the queue coordinator (503). A buffer (507) buffers the outputs of the high-priority (505) and the low-priority (506) queues and provides them to the network (509) to be protected.

CROSS REFERENCE TO RELATED APPLICATION

This application is the National Phase application of International Application No. PCT/KR2003/000628, filed Mar. 28, 2003, which designates the United States and was published in English. This application, in its entirety, is incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to a method and apparatus for protecting legitimate traffic from denial of service (hereinafter referred to as DoS) and distributed denial of service (hereinafter referred to as DDoS) attacks; and, more particularly, to a method and apparatus for protecting legitimate traffic from the enormous traffic volume generated by DoS and DDoS attacks.

BACKGROUND OF THE INVENTION

A DoS attack concentrates a large volume of traffic on a target network/server in a short time so that the target system is unable to provide its services. A DDoS attack, which is one type of DoS attack, concentrates the traffic of a multitude of attacking sites on the target network/server at once, and is therefore more difficult to detect and cut off.

According to the attacking method, DoS attacks are categorized into attacks that exploit characteristics of the TCP protocol and attacks that simply congest traffic.

Attacks exploiting characteristics of the TCP protocol target the three-step operation of setting up a connection between a TCP client and a TCP server. First, the client sends a synchronize (SYN) packet to the server. Second, the server sends a synchronize-acknowledge (SYN-ACK) packet to the client. As a final step, the client sends an ACK packet to the server. A TCP SYN flooding attack is an example of such an attack: it keeps sending SYN packets to the server but ignores the SYN-ACK packets transmitted by the server.

Attacks that simply congest traffic are divided into UDP packet flooding attacks, ping flooding attacks and HTTP flooding attacks.

Conventional techniques for cutting off such DoS attacks are described as follows:

(1) a technique for improving an algorithm of a TCP protocol server

(2) a fair-queuing technique

(3) a rate-limit technique

The technique for improving the algorithm of the TCP protocol server is used only for cutting off conventional SYN packet flooding attacks, so it cannot prevent traffic congestion attacks.

The fair-queuing technique is used for controlling congestion and fairly distributing resources (bandwidth) in a router.

FIG. 1 is a drawing showing the basic algorithm of conventional fair-queuing. Each transmitted packet is separated on a flow basis and sent to the next node through a corresponding queue. In this case, the queues are served fairly by a round-robin service, so that each queue is provided with 1/n of the total link bandwidth. While the technique can effectively cut off DoS attacks, DDoS attacks cannot be avoided completely: the larger the total number of malicious flows, the smaller the bandwidth share allocated to legitimate flows.

The rate-limit technique cuts off not only TCP SYN flooding attacks but also traffic congestion attacks.

FIG. 2 illustrates the basic algorithm of a conventional rate-limit. The rate-limit technique measures the bandwidth of specific flows. Then, if the measured value exceeds a maximum allowable bandwidth determined by an administrator, surplus packets are dropped. The technique has two drawbacks. First, the administrator is required to check the traffic of a network for a certain time in order to determine the maximum allowable bandwidth. Second, it is difficult to effectively cut off DDoS attacks. The power of a DDoS attack is due to the enormous traffic generated by concentrating a multitude of attacking sites on one target network/server; therefore, the volume of traffic generated by each attacking site is not considerable. In other words, since there is only a small difference between the volumes of traffic generated by an attacking site and a legitimate site in a DDoS attack, it is very difficult to determine the maximum allowable bandwidth. For example, if the maximum allowable bandwidth is set low, both DDoS traffic and legitimate traffic can be cut off.

As described above, the conventional techniques are effective for cutting off DoS attacks but not DDoS attacks. Further, even if the DDoS attacks can be cut off, the legitimate traffic cannot be protected.

SUMMARY OF THE INVENTION

It is, therefore, an object of the present invention to provide a method and apparatus for protecting legitimate traffic from DoS and DDoS attacks.

In accordance with the present invention, there is provided an apparatus connected between a network access unit and a network to be protected, for protecting legitimate traffic from DoS and DDoS attacks, including: a high-priority queue; a low-priority queue; a queue information table having specific STT service queue information of a specific packet; a queue coordinator for updating the queue information table based on a load of a provided STT and a load of the high-priority queue; a packet classifier for receiving a packet from the network access unit, investigating an STT service queue of the received packet from the queue information table, selectively transferring the received packet to the high-priority queue or the low-priority queue in accordance with an investigation result and providing information on the received packet to the queue coordinator; and a buffer for buffering outputs of the high-priority queue and the low-priority queue and providing the buffered outputs to the network to be protected.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects and features of the present invention will become apparent from the following description of preferred embodiments, given in conjunction with the accompanying drawings, in which:

FIG. 1 shows the basic algorithm of conventional fair-queuing;

FIG. 2 illustrates the basic algorithm of a conventional rate-limit;

FIG. 3 provides a drawing showing a typical DDoS attack model;

FIG. 4 presents a drawing illustrating a DDoS attack model employing a source-based traffic trunk (STT) in accordance with the present invention;

FIG. 5 represents a block diagram showing a preferred embodiment of an apparatus for protecting legitimate traffic from DoS and DDoS attacks in accordance with the present invention;

FIG. 6 offers a flowchart illustrating the basic algorithm of the packet classifier shown in FIG. 5;

FIG. 7 sets forth a flowchart showing the basic algorithm of the queue coordinator shown in FIG. 5;

FIG. 8A depicts a flowchart of a detailed algorithm of the steps of receiving packet information and calculating the average load of the STT corresponding to a received packet in the basic algorithm of the queue coordinator shown in FIG. 7;

FIG. 8B shows a flowchart of the algorithm of the step of resetting an STT service queue based on the load of the STT in the basic algorithm of the queue coordinator illustrated in FIG. 7;

FIG. 8C provides a flowchart of the algorithm of the step of calculating the average load of the high-priority queue in the basic algorithm of the queue coordinator illustrated in FIG. 7;

FIG. 8D provides a flowchart of the algorithm of the step of resetting an STT service queue based on the load of the high-priority queue in the basic algorithm of the queue coordinator shown in FIG. 7;

FIG. 9A presents a drawing representing a simulation result of employing conventional fair-queuing against web server attacks using DoS and DDoS; and

FIG. 9B represents a drawing showing a simulation result of employing the traffic control technique in accordance with the present invention against web server attacks using DoS and DDoS.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

Flow-unit processing of DoS and DDoS traffic degrades performance and attack-detection accuracy and increases the processing load. By contrast, the present invention processes DoS and DDoS traffic in units of a source-based traffic trunk (hereinafter referred to as STT), where an STT is the set of flows having the same source network address. For instance, if the STT is composed of 24 bits out of the 32-bit IP address, every packet with a source address from 168.188.44.0 to 168.188.44.255 belongs to the STT having the source address 168.188.44.

FIG. 3 provides a drawing showing a typical DDoS attack model. FIG. 4 presents a drawing illustrating a DDoS attack model employing a source-based traffic trunk (STT) in accordance with the present invention.

The sources of DDoS attacks are not uniformly distributed over all networks but are concentrated in certain local networks. It is impossible for a hacker to break into systems in every network in the world to install DDoS attack software there; instead, a hacker usually intrudes into a certain local network. Further, even if the hacker compromises an arbitrary system using a Nimda virus and performs DDoS attacks, it is still difficult for the virus to remain hidden for any length of time in a well-protected network, i.e., a network equipped with a firewall, an intrusion detection system, anti-virus software and the like. Accordingly, the virus normally hides in a less protected network. A cyber demonstration, which is a type of DDoS attack, is also performed from certain local networks.

In comparison with a flow-based method, the STT-based method can determine more simply and accurately whether traffic is legitimate or not.

FIG. 5 represents a block diagram showing a preferred embodiment of an apparatus for protecting legitimate traffic from DoS and DDoS attacks in accordance with the present invention. A legitimate traffic protection unit 501 comprises a queue information table 502, a queue coordinator 503, a packet classifier 504, a high-priority queue 505, a low-priority queue 506 and a buffer 507, and is connected between a network access unit 508 and a network/server 509 to be protected.

When a packet is received from the network access unit 508, the packet classifier 504 looks up the STT service queue of the packet in the queue information table 502. According to the lookup result, the packet is transferred to the high-priority queue 505 or the low-priority queue 506. Further, information on the packet is transferred to the queue coordinator 503, where the information on the packet comprises the packet size, the packet arrival time, an index into the queue information table 502 representing the STT of the packet, and the like.

The queue coordinator 503 updates the queue information table 502 based on the load of the received STT and the load of the high-priority queue 505. The queue information table 502 has fields including an STT ID, a service queue, an average load, a recent load calculation time and a total packet size.

The maximum load of the high-priority queue 505 and the low-priority queue 506 together is set to the maximum allowable load of the network/server 509 to be protected. For example, if the maximum allowable load of the system to be protected is set to 100, the sum of the total loads of the high-priority queue 505 and the low-priority queue 506 should be set to 100. If both the high-priority queue 505 and the low-priority queue 506 hold packets, a packet in the high-priority queue 505 is served first.

The buffer 507 buffers the outputs of the high-priority queue 505 and the low-priority queue 506 and sends the buffered outputs to the network/server 509 to be protected.

FIG. 6 offers a flowchart illustrating the basic algorithm of the packet classifier 504 shown in FIG. 5.

The packet classifier 504 receives a packet from the network access unit 508 (step 601) and then obtains an STT ID from the source IP address of the received packet (step 602). Next, the packet classifier 504 searches the queue information table 502 for the service queue corresponding to the obtained STT ID (step 603). According to the search result, the packet classifier 504 selectively transfers the received packet to the high-priority queue 505 or the low-priority queue 506 (steps 604 to 606). Thereafter, the packet classifier 504 transfers the packet information to the queue coordinator 503.

FIG. 7 sets forth a flowchart showing the basic algorithm of the queue coordinator shown in FIG. 5.

The queue coordinator 503 receives packet information from the packet classifier 504 (step 702) and calculates the average STT load corresponding to the received packet (step 703). Based on the calculated average STT load, the queue coordinator 503 resets the STT service queue (step 704). Next, the queue coordinator 503 calculates the average load of the high-priority queue 505 (step 705) and then resets a certain STT service queue based on the calculated average load of the high-priority queue 505 (step 706). Thereafter, the queue coordinator 503 stores the modified STT information, such as the modified average load and service queue, in the queue information table 502 (step 707).

FIG. 8A depicts a flowchart of a detailed algorithm of the steps of receiving packet information (step 702) and calculating the average load of the STT corresponding to a received packet (step 703) in the basic algorithm of the queue coordinator 503 shown in FIG. 7.

The queue coordinator 503 receives packet information, including the packet size, the packet arrival time, the queue information table index, the corresponding STT and the like, from the packet classifier (step 802) and then calculates the total packet size based on the received packet information (step 803), where the total packet size is the sum of the previous total packet size and the received packet size. Next, the queue coordinator 503 checks whether it is time to recalculate the average load (step 804). If it is time to recalculate the average load, the queue coordinator 503 calculates a new average load from the previous average load and the current load derived from the total packet size (step 805). In other words, the average load is calculated as follows: average load = (previous average load × α + total packet size) / ((packet arrival time − recent load calculation time) × (1 − α)), where α is larger than 0 but smaller than 1, i.e., 0 < α < 1. The time cycle for calculating the load is predetermined by a user. If, according to the check result of step 804, it is not time to recalculate the average load, the queue coordinator 503 executes the STT service queue determination algorithm using the existing STT load value (step 806) without performing step 805.

FIG. 8B shows a flowchart of the algorithm of the step of resetting an STT service queue based on the load of the STT (step 704) in the basic algorithm of the queue coordinator 503 illustrated in FIG. 7. The algorithm in FIG. 8B is carried out whenever a packet arrives. The purpose of the algorithm is to make an STT with a high average load use the low-priority queue 506 and an STT with a low average load use the high-priority queue 505. Accordingly, DoS and DDoS traffic is expected to end up in the low-priority queue.

The queue coordinator 503 checks whether or not the high-priority queue 505 is in a congested state (step 808). If the high-priority queue 505 is congested, it is checked whether the STT load of the received packet is greater than an allowable load (step 809). If the STT load of the received packet is greater than the allowable load, the service queue of the STT of the received packet is set to the low-priority queue 506 (step 810), where the allowable load is defined as "(the average load of the high-priority queue 505) / (the number of STTs using the high-priority queue 505 during the recalculation of the average load)". Thus, the plurality of STTs that may correspond to DDoS traffic is expected to concentrate rapidly in the low-priority queue 506. The queue coordinator 503 then checks whether the service queue of the STT corresponding to the received packet is the high-priority queue or the low-priority queue (step 811). If it is the high-priority queue, an STT using the low-priority queue is randomly chosen from the queue information table 502 (step 812). Next, the queue coordinator 503 compares the average load of the STT corresponding to the received packet with the average load of the randomly chosen STT (step 813). If the average load of the STT corresponding to the received packet is greater than that of the randomly chosen STT, the queue of the STT with the lower load is set to high-priority and that of the STT with the higher load is set to low-priority (step 814). If, according to the check result of step 811, the service queue of the STT corresponding to the received packet is the low-priority queue, an STT using the high-priority queue is randomly chosen from the queue information table 502 (step 815). The queue coordinator compares the average load of the STT corresponding to the received packet with that of the randomly chosen STT (step 816). If the average load of the STT corresponding to the received packet is smaller than that of the randomly chosen STT, the queue of the STT with the lower load is set to high-priority and that of the STT with the higher load is set to low-priority (step 817). Accordingly, legitimate traffic and DDoS traffic are expected to use the high-priority queue and the low-priority queue, respectively.

FIG. 8C provides a flowchart of the algorithm of the step of calculating the average load of the high-priority queue 505 (step 705) in the basic algorithm of the queue coordinator 503 illustrated in FIG. 7. This algorithm is only carried out when the service queue of the received packet is the high-priority queue.

The queue coordinator 503 determines the STT service queue on the basis of the STT load (step 819) and then checks whether the service queue used by the received packet is the high-priority queue or the low-priority queue (step 820). If the service queue used by the received packet is the high-priority queue, the total size of the packets served through the high-priority queue is calculated (step 821). Next, the queue coordinator 503 checks whether it is time to recalculate the load (step 822). If it is time to recalculate the load, the average load of the high-priority queue is calculated (step 823). Then, the queue coordinator 503 resets a certain STT service queue on the basis of the load of the high-priority queue (step 824) and stores the modified STT information in the queue information table 502 (step 825).

FIG. 8D provides a flowchart of the algorithm of the step of resetting an STT service queue based on the load of the high-priority queue (step 706) in the basic algorithm of the queue coordinator 503 shown in FIG. 7; this algorithm is executed whenever the average load of the high-priority queue is calculated.

The queue coordinator 503 calculates the average load of the high-priority queue (step 826) and checks the load state of the high-priority queue, i.e., a congested state, an idle state or a stable state (step 827). If the high-priority queue is in the congested state, an STT using the high-priority queue is randomly chosen and its queue is set to low-priority (steps 828 and 829). If it is in the idle state, an STT using the low-priority queue is randomly chosen and its queue is set to high-priority (steps 830 and 831). If it is in the stable state, or once steps 829 to 831 have been performed, the modified STT information is stored in the queue information table 502 (step 832). As a result, the high-priority queue is able to maintain a stable load. Further, the STTs using the high-priority queue, i.e., legitimate traffic, can be served with high quality.
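The packet classifier of FIG. 6, the STT load averaging of FIG. 8A, the service-queue reset of FIG. 8B and the high-priority queue regulation of FIG. 8D, combined into one runnable model. This is an added example, not code from the patent or its applicant. The names (SttEntry, Protector, stt_id, classify, reset_by_stt_load, reset_by_hp_load), the 24-bit STT prefix, the values of α and the recalculation period, the congested/idle thresholds expressed as fractions of the maximum allowable load, the use of the same averaging formula for the high-priority queue, and the placement of a newly seen STT in the high-priority queue are all assumptions, since the description leaves them open.

```python
# Added example, not code from the patent: a runnable Python model of the legitimate
# traffic protection unit (501) described for FIG. 5 to FIG. 8D. The names, the /24
# STT prefix, alpha, the recalculation period, the congested/idle thresholds and the
# placement of a newly seen STT in the high-priority queue are assumptions.
import ipaddress
import random
from dataclasses import dataclass

HIGH, LOW = "high", "low"

@dataclass
class SttEntry:
    """One row of the queue information table (502)."""
    stt_id: str
    service_queue: str = HIGH      # assumption: a new STT starts in the high-priority queue
    avg_load: float = 0.0
    last_calc_time: float = 0.0
    total_size: int = 0

def stt_id(src_ip: str, prefix_len: int = 24) -> str:
    """STT = set of flows sharing one source network prefix (24 bits by default)."""
    return str(ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False).network_address)

class Protector:
    def __init__(self, alpha=0.5, period=1.0, max_load=100.0, congested=0.8, idle=0.3, rng=None):
        assert 0 < alpha < 1 and period > 0
        self.alpha, self.period, self.max_load = alpha, period, max_load
        self.congested, self.idle = congested, idle   # assumed fractions of max_load
        self.table = {}                               # queue information table (502)
        self.queues = {HIGH: [], LOW: []}             # queues 505 and 506
        self.hp_total_size, self.hp_last_calc, self.hp_avg_load = 0, 0.0, 0.0
        self.rng = rng or random.Random(0)

    # Packet classifier (FIG. 6): look up the STT's service queue, enqueue, notify coordinator.
    def classify(self, src_ip: str, size: int, now: float) -> str:
        sid = stt_id(src_ip)
        entry = self.table.setdefault(sid, SttEntry(sid, last_calc_time=now))
        self.queues[entry.service_queue].append((src_ip, size))
        self.coordinate(entry, size, now)
        return entry.service_queue

    # Buffer (507): a packet in the high-priority queue is always served first.
    def dequeue(self):
        for q in (HIGH, LOW):
            if self.queues[q]:
                return self.queues[q].pop(0)
        return None

    # Queue coordinator (FIG. 7): steps 703 to 706 on every packet.
    def coordinate(self, entry: SttEntry, size: int, now: float) -> None:
        self.update_stt_load(entry, size, now)        # FIG. 8A
        self.reset_by_stt_load(entry)                 # FIG. 8B
        if entry.service_queue == HIGH:               # FIG. 8C
            self.hp_total_size += size
            dt = now - self.hp_last_calc
            if dt >= self.period:
                # assumption: the queue load uses the same averaging rule as an STT
                self.hp_avg_load = (self.hp_avg_load * self.alpha + self.hp_total_size) / (dt * (1 - self.alpha))
                self.hp_total_size, self.hp_last_calc = 0, now
                self.reset_by_hp_load()               # FIG. 8D

    # FIG. 8A: accumulate packet size; at each period apply the averaging formula of step 805.
    def update_stt_load(self, entry: SttEntry, size: int, now: float) -> float:
        entry.total_size += size
        dt = now - entry.last_calc_time
        if dt >= self.period:
            entry.avg_load = (entry.avg_load * self.alpha + entry.total_size) / (dt * (1 - self.alpha))
            entry.total_size, entry.last_calc_time = 0, now
        return entry.avg_load

    def hp_state(self) -> str:
        if self.hp_avg_load > self.congested * self.max_load:
            return "congested"
        return "idle" if self.hp_avg_load < self.idle * self.max_load else "stable"

    # FIG. 8B: demote a heavy STT while congested, then swap with a random STT of the other queue.
    def reset_by_stt_load(self, entry: SttEntry) -> str:
        if self.hp_state() == "congested":              # steps 808 to 810
            n_high = sum(e.service_queue == HIGH for e in self.table.values())
            if entry.avg_load > self.hp_avg_load / max(1, n_high):   # allowable load
                entry.service_queue = LOW
        other = LOW if entry.service_queue == HIGH else HIGH        # steps 811 to 817
        peers = [e for e in self.table.values() if e.service_queue == other]
        if peers:
            peer = self.rng.choice(peers)
            if entry.service_queue == HIGH and entry.avg_load > peer.avg_load:
                entry.service_queue, peer.service_queue = LOW, HIGH
            elif entry.service_queue == LOW and entry.avg_load < peer.avg_load:
                entry.service_queue, peer.service_queue = HIGH, LOW
        return entry.service_queue

    # FIG. 8D: keep the high-priority queue stable by moving one random STT per recalculation.
    def reset_by_hp_load(self) -> str:
        state = self.hp_state()                                     # steps 826 and 827
        move = {"congested": (HIGH, LOW), "idle": (LOW, HIGH)}.get(state)
        if move:
            cands = [e for e in self.table.values() if e.service_queue == move[0]]
            if cands:
                self.rng.choice(cands).service_queue = move[1]      # steps 828 to 831
        return state
```

Feeding `classify(src_ip, size, arrival_time)` with a stream of packets drives the whole pipeline; `dequeue()` models the buffer's strict priority. Two practical points follow from the design rather than from any tuning: the STT prefix width decides how much legitimate traffic shares the fate of an attacking subnet (with a /24, every host in a compromised network is demoted together, which is exactly the aggregation the description relies on), and because the averaging formula divides by the elapsed interval, the recalculation period must be strictly positive and the table's recent load calculation time must be initialised on first sight of an STT, which the model does in `classify`.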

FIG. 9A presents a drawing representing a simulation result of employing conventional fair-queuing against web server attacks using DoS and DDoS. FIG. 9B represents a drawing showing a simulation result of employing the traffic control technique in accordance with the present invention against web server attacks using DoS and DDoS.

In the prior art, legitimate traffic is affected by both DoS and DDoS attacks, as shown in FIG. 9A. However, DoS and DDoS attacks hardly influence the legitimate traffic in the present invention, as illustrated in FIG. 9B.

The present invention checks traffic on an STT basis instead of on a flow basis, so that the load can be measured more accurately without affecting the performance of the apparatus. Whenever a packet of an STT is received, it is checked whether that STT is DDoS traffic or legitimate traffic. Accordingly, DDoS traffic is quickly assigned to the low-priority queue, as shown in FIG. 8B. Although traffic increases dramatically due to DDoS attacks, the load of the high-priority queue used by legitimate traffic is kept constant. As a result, the loss of legitimate traffic can be minimized, as illustrated in FIG. 8B to 8D. The present invention has the additional merit that even when considerable traffic is generated by a specific system, the traffic can be served through the high-priority queue if there are sufficient network resources to accept it.

While the invention has been shown and described with respect to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the following claims.

1. An apparatus connected between a network access unit and a network tobe protected, for protecting legitimate traffic from DoS (denial ofservice) and DDoS (distributed denial of service) attacks, saidapparatus comprising: a hardware unit which is connected between thenetwork access unit and the network to be protected; said hardware unitcomprising: a high-priority queue; a low-priority queue; a queueinformation table having, for each specific STT (source-based traffictrunk), previous load information, and a service queue for a specificpacket having the specific STT, wherein the service queue is thehigh-priority queue or the low-priority queue; a packet classifier for(a) obtaining an STT of a packet received from the network access unitbased on a source IP address of the received packet; (b) searching thequeue information table for the service queue corresponding to the STTof the received packet and checking, by the packet classifier, whetherthe service queue is the high-priority queue or the low-priority queue;(c) transferring the received packet to the high-priority queue if theservice queue is the high-priority queue in the step (b); (d)transferring the received packet to the low-priority queue if theservice queue is the low-priority queue in the step (b); and (e)transferring packet information on the received packet to a queuecoordinator; said queue coordinator for (f) updating the service queueassociated with the STT of the received packet in the queue informationtable, wherein said updating is based on (i) a load of the receivedpacket and (ii) the previous load information stored in the queueinformation table in association with the STT of the received packet;wherein said updating at (f) comprises: (a′) calculating an average loadof the STT of the received packet based on the packet informationtransferred from the packet classifier; (b′) selectively resetting theservice queue associated with the STT of the received packet dependingon the calculated average 
load of the STT of the received packet; and(c′) storing the selectively reset service queue in the queueinformation table; and wherein said selectively resetting at (b′)further includes: (b′1) setting the service queue associated with theSTT of the received packet to be the low-priority queue if thecalculated average load of the STT of the received packet is greaterthan an allowable load when the high-priority queue is in a congestedstate; (b′2) randomly choosing a first STT, which uses the low-priorityqueue, from the queue information table if the service queue associatedwith the STT of the received packet is the high-priority queue; (b′3)following the step (b′2), setting a service queue associated with therandomly chosen first STT to be the high-priority queue and the servicequeue associated with the STT of the received packet to be thelow-priority queue if the average load of the STT of the received packetis greater than that of the randomly chosen first STT; (b′4) randomlychoosing a second STT, which uses the high-priority queue, from thequeue information table if the service queue associated with the STT ofthe received packet is the low-priority queue; and (b′5) following thestep (b′4), setting the service queue associated with the STT of thereceived packet to be the high-priority queue and a service queueassociated with the randomly chosen second STT to be the low-priorityqueue if the average load of the STT of the received packet is smallerthan that of the randomly chosen second STT; and a buffer for bufferingoutputs of the high-priority queue and the low-priority queue andproviding the buffered outputs to the network to be protected.
 2. Theapparatus of claim 1, wherein the network to be protected comprises aserver.
 3. The apparatus of claim 1, wherein the information on thereceived packet includes a packet size, a packet arrival time and an STTindex representing the STT of the received packet.
 4. The apparatus ofclaim 1, wherein the queue information table has fields including: anSTT ID field, a service queue field, an average load field, a recentload calculation time field, and a total packet size field.
 5. Theapparatus of claim 1, wherein a maximum load of both the high-priorityqueue and the low-priority queue is set to be a maximum allowable loadof the network to be protected.
 6. The apparatus of claim 5, wherein thenetwork to be protected comprises a server.
 7. The apparatus of claim 1,further comprising at least a network interface for network connectionto the network access unit and the network to be protected.
 8. A methodof protecting legitimate traffic from DoS (denial of service) and DDoS(distributed denial of service) attacks, said method performed by anapparatus which is a hardware unit connected between a network accessunit and a network to be protected and including: a queue informationtable having, for each specific STT (source-based traffic trunk),previous load information, and a service queue for a specific packethaving the specific STT, wherein the service queue is a high-priorityqueue or a low-priority queue, a queue coordinator, and a packetclassifier, the method comprising the steps of: (a) obtaining, by thepacket classifier in said hardware unit, an STT of a packet receivedfrom the network access unit based on a source IP address of thereceived packet; (b) searching, by the packet classifier, the queueinformation table for the service queue corresponding to the STT of thereceived packet and checking, by the packet classifier, whether theservice queue is the high-priority queue or the low-priority queue; (c)transferring, by the packet classifier, the received packet to thehigh-priority queue if the service queue is the high-priority queue inthe step (b); (d) transferring, by the packet classifier, the receivedpacket to the low-priority queue if the service queue is thelow-priority queue in the step (b); (e) transferring, by the packetclassifier, packet information on the received packet to the queuecoordinator; and (f) updating, by the queue coordinator in said hardwareunit, the service queue associated with the STT of the received packetin the queue information table, wherein said updating is based on (i) aload of the received packet and (ii) the previous load informationstored in the queue information table in association with the STT of thereceived packet; wherein the step (f) comprises the following stepsperformed by the queue coordinator: (a′) calculating an average load ofthe STT of the received packet based on the packet informationtransferred from 
the packet classifier; (b′) selectively resetting theservice queue associated with the STT of the received packet dependingon the calculated average load of the STT of the received packet; (c′)calculating an average load of the high-priority queue; (d′) selectivelyresetting a service queue associated with a certain STT depending on thecalculated average load of the high-priority queue; and (e′) storing theselectively reset service queue in the queue information table; andwherein the step (b′) further includes the steps of: (b′1) setting theservice queue associated with the STT of the received packet to be thelow-priority queue if the calculated average load of the STT of thereceived packet is greater than an allowable load when the high-priorityqueue is in a congested state; (b′2) randomly choosing a first STT,which uses the low-priority queue, from the queue information table ifthe service queue associated with the STT of the received packet is thehigh-priority queue; (b′3) following the step (b′2), setting a servicequeue in said hardware unit associated with the randomly chosen firstSTT to be the high-priority queue and the service queue associated withthe STT of the received packet to be the low-priority queue if theaverage load of the STT of the received packet is greater than that ofthe randomly chosen first STT; (b′4) randomly choosing a second STT,which uses the high-priority queue, from the queue information table ifthe service queue associated with the STT of the received packet is thelow-priority queue; and (b′5) following the step (b′4), setting theservice queue associated with the STT of the received packet to be thehigh-priority queue and a service queue associated with the randomlychosen second STT to be the low-priority queue if the average load ofthe STT of the received packet is smaller than that of the randomlychosen second STT.
9. The method of claim 8, wherein the step (c′) further includes the steps of: (c′1) determining whether the service queue associated with the STT of the received packet after the selective resetting in the step (b′) is the high-priority queue or the low-priority queue; (c′2) calculating a total packet size served through the high-priority queue if the service queue associated with the STT of the received packet is the high-priority queue; (c′3) calculating the average load of the high-priority queue if it is time to recalculate the average load of the high-priority queue; and (c′4) proceeding to the step (d′).

10. The method of claim 8, wherein the network to be protected comprises a server.

11. The method of claim 8, wherein the step (e′) further comprises: storing a modified average load in the queue information table.

12. The method of claim 8, wherein the step (a′) further includes the steps of: (a′1) calculating a total packet size based on the packet information transferred from the packet classifier; (a′2) checking whether it is time to recalculate the average load; (a′3) if it is time to recalculate the average load in the step (a′2), calculating a new average load by using (i) a previous average load and (ii) a current average load based on the total packet size, and then proceeding to the step (b′); and (a′4) if it is not time to recalculate the average load, proceeding to the step (b′).

13. The method of claim 12, wherein the packet information includes a packet size, a packet arrival time, and an STT index corresponding to the STT of the received packet.

14. The method of claim 8, wherein the apparatus further comprises at least a network interface in network connection with the network access unit and the network to be protected.
15. A method of protecting legitimate traffic from DoS (denial of service) and DDoS (distributed denial of service) attacks, said method performed by an apparatus which is a hardware unit connected between a network access unit and a network to be protected and including: a queue information table having, for each specific STT (source-based traffic trunk), previous load information, and a service queue for a specific packet having the specific STT, wherein the service queue is a high-priority queue or a low-priority queue, a queue coordinator, and a packet classifier, the method comprising the steps of: (a) obtaining, by the packet classifier in said hardware unit, an STT of a packet received from the network access unit based on a source IP address of the received packet; (b) searching, by the packet classifier, the queue information table for the service queue corresponding to the STT of the received packet and checking, by the packet classifier, whether the service queue is the high-priority queue or the low-priority queue; (c) transferring, by the packet classifier, the received packet to the high-priority queue if the service queue is the high-priority queue in the step (b); (d) transferring, by the packet classifier, the received packet to the low-priority queue if the service queue is the low-priority queue in the step (b); (e) transferring, by the packet classifier, packet information on the received packet to the queue coordinator; and (f) updating, by the queue coordinator in said hardware unit, the service queue associated with the STT of the received packet in the queue information table, wherein said updating is based on (i) a load of the received packet and (ii) the previous load information stored in the queue information table in association with the STT of the received packet; wherein the step (f) comprises the following steps performed by the queue coordinator: (a′) calculating an average load of the STT of the received packet based on the packet information transferred from the packet classifier; (b′) selectively resetting the service queue associated with the STT of the received packet depending on the calculated average load of the STT of the received packet; (c′) calculating an average load of the high-priority queue; (d′) selectively resetting a service queue associated with a certain STT depending on the calculated average load of the high-priority queue; and (e′) storing the selectively reset service queue in the queue information table; and wherein the step (d′) includes the steps of: (d′1) obtaining the calculated average load of the high-priority queue from the step (c′); (d′2) randomly choosing one STT, which uses the high-priority queue, and setting a service queue of the randomly chosen STT to the low-priority queue if the calculated average load of the high-priority queue indicates that the high-priority queue is in a congested state; (d′3) randomly choosing one STT, which uses the low-priority queue, and setting a service queue of the randomly chosen STT to the high-priority queue if the calculated average load of the high-priority queue indicates that the high-priority queue is in an idle state; and (d′4) proceeding to the step (e′) if the calculated average load of the high-priority queue indicates that the high-priority queue is in a stable state or when one of the steps of (d′2) and (d′3) is performed.

16. A method of protecting legitimate traffic from DoS (denial of service) and DDoS (distributed denial of service) attacks, said method performed by an apparatus which is a hardware unit connected between a network access unit and a network to be protected and including: a queue information table having, for each specific STT (source-based traffic trunk), previous load information, and a service queue for a specific packet having the specific STT, wherein the service queue is a high-priority queue or a low-priority queue, a queue coordinator, and a packet classifier, the method comprising the steps of: (a) obtaining, by the packet classifier in said hardware unit, an STT of a packet received from the network access unit based on a source IP address of the received packet; (b) searching, by the packet classifier, the queue information table for the service queue corresponding to the STT of the received packet and checking, by the packet classifier, whether the service queue is the high-priority queue or the low-priority queue; (c) transferring, by the packet classifier, the received packet to the high-priority queue if the service queue is the high-priority queue in the step (b); (d) transferring, by the packet classifier, the received packet to the low-priority queue if the service queue is the low-priority queue in the step (b); (e) transferring, by the packet classifier, packet information on the received packet to the queue coordinator; and (f) updating, by the queue coordinator in said hardware unit, the service queue associated with the STT of the received packet in the queue information table, wherein said updating is based on (i) a load of the received packet and (ii) the previous load information stored in the queue information table in association with the STT of the received packet; wherein the step (f) comprises the following steps performed by the queue coordinator: (a′) calculating an average load of the STT of the received packet based on the packet information transferred from the packet classifier; (b′) selectively resetting the service queue associated with the STT of the received packet depending on the calculated average load of the STT of the received packet; and (c′) storing the selectively reset service queue in the queue information table; and wherein the step (b′) further includes the steps of: (b′1) setting the service queue associated with the STT of the received packet to be the low-priority queue if the calculated average load of the STT of the received packet is greater than an allowable load when the high-priority queue is in a congested state; (b′2) randomly choosing a first STT, which uses the low-priority queue, from the queue information table if the service queue associated with the STT of the received packet is the high-priority queue; (b′3) following the step (b′2), setting a service queue associated with the randomly chosen first STT to be the high-priority queue and the service queue associated with the STT of the received packet to be the low-priority queue if the average load of the STT of the received packet is greater than that of the randomly chosen first STT; (b′4) randomly choosing a second STT, which uses the high-priority queue, from the queue information table if the service queue associated with the STT of the received packet is the low-priority queue; and (b′5) following the step (b′4), setting the service queue associated with the STT of the received packet to be the high-priority queue and a service queue associated with the randomly chosen second STT to be the low-priority queue if the average load of the STT of the received packet is smaller than that of the randomly chosen second STT.
17. The method of claim 16, wherein the step (f) further comprises the following steps performed by the queue coordinator after the steps (a′) and (b′) and before the step (c′): (d′) calculating an average load of the high-priority queue; and (e′) selectively resetting a service queue associated with a certain STT depending on the calculated average load of the high-priority queue.

18. The method of claim 17, wherein the step (e′) includes the steps of: (e′1) obtaining the calculated average load of the high-priority queue from the step (d′); (e′2) randomly choosing one STT, which uses the high-priority queue, and setting a service queue of the randomly chosen STT to the low-priority queue if the calculated average load of the high-priority queue indicates that the high-priority queue is in a congested state; (e′3) randomly choosing one STT, which uses the low-priority queue, and setting a service queue of the randomly chosen STT to the high-priority queue if the calculated average load of the high-priority queue indicates that the high-priority queue is in an idle state; and (e′4) proceeding to the step (c′) if the calculated average load of the high-priority queue indicates that the high-priority queue is in a stable state or when one of the steps of (e′2) and (e′3) is performed.

19. The method of claim 18, wherein the step (d′) further includes the steps of: (d′1) determining whether the service queue associated with the STT of the received packet after the selective resetting in the step (b′) is the high-priority queue or the low-priority queue; (d′2) calculating a total packet size served through the high-priority queue if the service queue associated with the STT of the received packet is the high-priority queue; (d′3) calculating the average load of the high-priority queue if it is time to recalculate the average load of the high-priority queue; and (d′4) proceeding to the step (e′).
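The classifier and coordinator procedure of claims 8, 9, 12 and 15 to 19, as an added software simulation that is not part of the patent or any product implementing it. The STT grouping (the /24 of the source IP address), the allowable, congested and idle thresholds, and the use of a per-packet exponential average in place of the timed recalculation of claims 9 and 12 are assumptions chosen for the example.

```python
import random
from dataclasses import dataclass, field

HIGH, LOW = "high", "low"   # the two service queues named in the claims


@dataclass
class QueueCoordinator:
    """Queue information table plus coordinator; thresholds and the EWMA weight are assumed."""
    allowable_load: float                      # per-STT allowable load, step (b'1)
    congested: float                           # high-priority load above this: congested
    idle: float                                # high-priority load below this: idle
    alpha: float = 0.5                         # weight of the current load in the new average
    table: dict = field(default_factory=dict)  # stt -> {"queue": HIGH|LOW, "load": average}
    hp_load: float = 0.0                       # average load of the high-priority queue

    def random_stt(self, queue):
        cands = [s for s, e in self.table.items() if e["queue"] == queue]
        return random.choice(cands) if cands else None

    def classify(self, src_ip, size):
        """Packet classifier, steps (a)-(e): returns the queue the packet is transferred to."""
        stt = ".".join(src_ip.split(".")[:3])  # assumed: STT = /24 of the source IP
        queue = self.table.setdefault(stt, {"queue": HIGH, "load": 0.0})["queue"]
        self.update(stt, size)                 # step (e)/(f): hand packet info to coordinator
        return queue

    def update(self, stt, size):
        """Queue coordinator, steps (a')-(e') with (b'1)-(b'5) and (d'1)-(d'4)."""
        e = self.table[stt]
        e["load"] = (1 - self.alpha) * e["load"] + self.alpha * size   # (a') new average
        if self.hp_load > self.congested and e["load"] > self.allowable_load:
            e["queue"] = LOW                                            # (b'1) demote heavy STT
        if e["queue"] == HIGH:                                          # (b'2)/(b'3)
            other = self.random_stt(LOW)
            if other and e["load"] > self.table[other]["load"]:
                self.table[other]["queue"], e["queue"] = HIGH, LOW      # swap with lighter STT
        else:                                                           # (b'4)/(b'5)
            other = self.random_stt(HIGH)
            if other and e["load"] < self.table[other]["load"]:
                e["queue"], self.table[other]["queue"] = HIGH, LOW      # swap with heavier STT
        if e["queue"] == HIGH:                                          # (c') high-queue load
            self.hp_load = (1 - self.alpha) * self.hp_load + self.alpha * size
        if self.hp_load > self.congested:                               # (d'2) congested
            chosen = self.random_stt(HIGH)
            if chosen: self.table[chosen]["queue"] = LOW
        elif self.hp_load < self.idle:                                  # (d'3) idle
            chosen = self.random_stt(LOW)
            if chosen: self.table[chosen]["queue"] = HIGH
        # (d'4)/(e'): stable state needs no change; the mutated table is the stored result
```

Feeding a stream of large packets from one trunk and small packets from another shows the flooding trunk being moved to the low-priority queue while the light trunk keeps high-priority service.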